#vulnerability

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.0 ATTENTION: Low attack complexity Vendor: iCam365 Equipment: P201 and QC021 Vulnerabilities: Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of these vulnerabilities could result in unauthorized exposure of camera video streams and camera configuration data. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following iCam365 camera model is affected: ROBOT PT Camera P201: Versions 43.4.0.0 and prior Night Vision Camera QC021: Versions 43.4.0.0 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 Missing Authentication for Critical Function CWE-306 The affected products allow unauthenticated access to Open Network Video Interface Forum (ONVIF) services, which may allow an attacker unauthorized access to camera configuration information. CVE-2025-64770 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L). A CVSS v4 sco...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Festo SE & Co. KG Equipment: Didactic products Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could allow the creation or overwriting of arbitrary files in the engineering system. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Festo reports that the following products contain affected versions of Siemens TIA-Portal: Siemens TIA-Portal V15 prior to V17 Update 6 installed on Festo Hardware MES PC: All versions Siemens TIA-Portal V18 prior to V18 Update 1 installed on Festo Hardware MES PC: All versions Siemens TIA-Portal V15 prior to V17 Update 6 installed on Festo Hardware TP260 (<June2023): All versions Siemens TIA-Portal V18 prior to V18 Update 1 installed on Festo Hardware TP260 (<June2023): All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 Improper Input Validation CWE-20 A vulnerability has been identified in Siemens Totally Integrated Automation Po...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Festo SE & Co. KG Equipment: MSE6-C2M/D2M/E2M Vulnerability: Hidden Functionality 2. RISK EVALUATION Successful exploitation of this vulnerability could lead to a complete loss of confidentiality, integrity, and availability. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Festo reports the following products are affected: MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L4-AGD: All versions MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L5-AGD: All versions MSE6-C2M-5000-FB43-D-M-RG-BAR-M12L4-MQ1-AGD: All versions MSE6-C2M-5000-FB43-D-M-RG-BAR-M12L5-MQ1-AGD: All versions MSE6-C2M-5000-FB44-D-M-RG-BAR-AMI-AGD: All versions MSE6-C2M-5000-FB44-D-RG-BAR-AMI-AGD: All versions MSE6-D2M-5000-CBUS-S-RG-BAR-VCB-AGD: All versions MSE6-E2M-5000-FB13-AGD: All versions MSE6-E2M-5000-FB36-AGD: All versions MSE6-E2M-5000-FB37-AGD: All versions MSE6-E2M-5000-FB43-AGD: All versions MSE6-E2M-5000-FB44-AGD: All versions 3.2 VULNERABIL...

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

### Summary An authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the `display` parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise. ### Details The vulnerability is located in the `retrieve()` method within `src/API/Manager.php`. User input from the `display` GET parameter is processed without proper validation. The code strips the surrounding brackets `[]`, splits the string by commas, and then passes each resulting element directly into the `selectRaw()` function of the query builder. ```php // User input from 'display' is taken without sanitization. $select = !empty($request['display']) ? explode(',', substr((string) $request['display'], 1, -1)) : null; // ... // The unsanitized input is passed directly to `selectRaw()`. foreach ($select as $s) { $query->selectRaw($s); } ``` Since `selectR...

### Summary The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the `?module` query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using `${...}` expressions within CSS files, which will execute when the module is imported by victim applications. This enables Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications. **Root Cause:** The CSS module conversion logic (`router.go:1112-1119`) performs incomplete sanitization - it only checks for backticks (\`) but fails to escape template literal expressions (`${...}`), allowing arbitrary JavaScript execution when the CSS content is inserted into a template literal string. ### Details **File:** `server/router.go` **Lines:** 1112-1119 ...

### Summary The esm.sh CDN service is vulnerable to a Path Traversal (CWE-22) vulnerability during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., `package/../../tmp/evil.js`). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory. Uploading files containing `../` in the path is not allowed on official registries (npm, GitHub), but the `X-Npmrc` header allows specifying any arbitrary registry. By setting the registry to an attacker-controlled server via the `X-Npmrc` header, this vulnerability can be triggered. ### Details **file:** `server/npmrc.go` **line:** 552-567 ```go func extractPackageTarball(installDir string, pkgName string, tarball io.Reader) (err error) { pkgDir := path.Join(installDir, "node_modules", pkgName) tr := tar.NewReader(unziped) for { h, err := tr.Next...

## Summary When using Astro's Cloudflare adapter (@astrojs/cloudflare) with `output: 'server'`, the image optimization endpoint (`/_image`) contains a critical vulnerability in the `isRemoteAllowed()` function that unconditionally allows `data:` protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. ## Details On-demand rendered sites built with Astro include an `/_image` endpoint for image optimization. While this endpoint is designed to restrict processing to local images and authorized remote domains (configured via `image.domains` or `image.remotePatterns`), a critical vulnerability exists in the underlying validation logic. The `isRemoteAllowed()` function in [packages/internal-helpers/src/remote.ts](https://github.com/withastro/astro/blob/b8ca69b97149becefaf89bf21853de9c905cdbb7/packages/internal-helpers/src/remote.ts) (lines 128-131) unconditionally allows ALL `data...

### Summary A vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. ### Details - **Title**: Arbitrary Local File Read in Astro Development Image Endpoint - **Type**: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - **Component**: `/packages/astro/src/assets/endpoint/node.ts` - **Affected Versions**: Astro v5.x development builds (confirmed v5.13.3) - **Attack Vector**: Network (HTTP GET request) - **Authentication Required**: None The vulnerability exists in the Node.js image endpoint handler used during development mode. The endpoint accepts an `href` parameter that specifies the path to an image file. In development mode, this parameter is processed without adequate path val...